A Public Statement Regarding Ubiquitous Encryption on the XMPP Network

Version: 0.5
Last Updated: 2014-03-21

We, as operators of federated services and developers of software programs that use the XMPP standard for instant messaging and real-time communication, commit to establishing ubiquitous encryption over our network on May 19, 2014.

Jabber/XMPP technologies were first released on January 4, 1999, by Jeremie Miller. Since then, channel encryption using Secure Sockets Layer (SSL) and Transport Layer Security (TLS) has been optional on the Jabber/XMPP network. Out of respect for the users of our software and services, we believe it is time to make such encryption mandatory. Therefore we commit to the following policies, consistent with the IETF Internet-Draft "Use of Transport Layer Security in XMPP".

For software implementations:

   o  support the STARTTLS method in XMPP as specified in RFC 6120, including mandatory-to-implement cipher suites and certificate validation consistent with RFC 6125
   o  prefer the latest version of TLS (TLS 1.2), but provide a configuration option to negotiate TLS 1.1, TLS 1.0, or SSLv3 for backward compatibility with existing deployed software
   o  disable support for SSLv2
   o  provide configuration options to require channel encryption for client-to-server and server-to-server connections
   o  provide configuration options to prefer or require cipher suites that enable forward secrecy
   o  prefer authenticated encryption (via digital certificates) for server-to-server connections; if authenticated encryption is not available, provide a configuration option to allow fallback to unauthenticated encryption with identity verification using the XMPP Server Dialback extension (XEP-0220)
   o  ideally, provide user or administrative interfaces showing:
      o  if a given client-to-server or server-to-server connection is encrypted, authenticated, or both
      o  the version of TLS and the cipher suite in use
      o  details about a server's certificate
      o  a warning about any changes to a server's certificate

For service deployments:

   o  require the use of TLS for both client-to-server and server-to-server connections, preferably with authentication (RFC 6125) but as a fallback using unauthenticated encryption in the form of TLS plus Server Dialback
   o  prefer or require TLS cipher suites that enable forward secrecy
   o  if possible, deploy certificates issued by well-known and widely-deployed certification authorities (it is known that multi-tenanted hosting services are unable to obtain or manage certificates for hosted domains)

The schedule we agree to is:

   January 4, 2014 - first test day requiring encryption
   February 22, 2014 - second test day
   March 22, 2014 - third test day
   April 19, 2014 - fourth test day
   May 19, 2014 - permanent upgrade to encrypted network, coinciding with Open Discussion Day

This commitment to encrypted connections is only the first step toward more secure communication using XMPP, and does not obviate the need for technologies supporting end-to-end encryption (such as Off-the-Record Messaging or OTR), strong authentication, channel binding, secure DNS, server identity checking, and secure service delegation. Although we have worked to implement and deploy such technologies and will continue to do so, we believe that encrypting the traffic on the XMPP network is a necessary precondition to offering further security improvements.

Signed,

Peter Saint-Andre, operator of jabber.org and author of XMPP RFCs
Jeremie Miller, inventor of Jabber
Simon Tennant, founder and CEO of buddycloud Ltd.
Ralph Meijer, operator of ik.nu
Thijs Alkemade, lead developer of Adium
Matthew Wild, founder of the Prosody IM server project
Philipp Hancke, co-author of Server Dialback specification
Stefan Eckbauer, CTO of ESTOS GmbH
Patrick R. McDonald, operator of the antagonism.org XMPP server
Mike Taylor (bear), Operations for &yet
Adam Brault, &yet CEO
Ralph J. Mayer, operator of nerd-residenz.de XMPP server
Andreas Kuckartz, W3C Federated Social Web Community Group
Evgeny Khramtsov, ejabberd developer, ProcessOne
Jurre van Bergen, developer at USEOTR
George Hazan, founder of Miranda NG client
Valérian Saliou, founder of the Jappix web-client and operator of the jappix.com server
Marco Cirillo, Metronome IM developer, Jappix maintainer and admin of lightwitch.org
Nikolaus Polak, operator of linuxlovers.at XMPP server
Rafał bluszcz Zawadzki, operator of JabberPL.org
Stefan Strigler, operator of jwchat.org XMPP server
Julien Genestoux, founder of Superfeedr
Emil Ivov, founder and project lead of the Jitsi FOSS client
Yana Stamcheva, Jitsi developer
Yann Leboulanger, Gajim developer
Matthew A. Miller, operator of outer-planes.net
Lloyd Watkin, on behalf of Surevine Ltd (surevine.com)
Artur Hefczyc, Tigase project maintainer
Steffen Larsen, XMPP developer (client and server), operator of various domains
Ivan Novitskii, VSTalk developer
Daniele Ricci, Kontalk project leader
Natalia Novosad, takes part in VSTalk development
Matthias Wimmer, lead developer of jabberd14
Yiorgis Gozadinos, co-founder of crypho.com
Alexander Gnauck, XMPP developer (libraries), operator of various servers
Tim Schumacher, operator of boese-ban.de & krautspace.de
Michael Weibel, developer of candy chat & xmpp responsible for mila.com
Luis Gonzalez Fernandez, operator of mijabber.es
Georg Lukas, yaxim developer and yax.im operator
Fini Decima, Free Software advocate and owner of linuxbsdos.com
Nigel Kukard, operator of jabber.iitsp.com
Tobias Mädel, operator of twentypercentcooler.de and tbspace.de public XMPP servers
Adán Sánchez de Pedro Crespo, founder of waalt.com and developer of loqui.im
Kevin Walke, operator of opensheffield.net
Nathan Freitas (n8fr8), The Guardian Project & ChatSecure/Gibberbot developer
Peter Schwindt, operator of jabber.ccc.de
Jonas Wielicki, operator of federated private XMPP servers
Fran García, NekBot Developer and nekmo.org operator
Dennis Schubert, operator of dsx.cc and developer of Jabberry
Ludovic Bocquet, XMPP server operator
Benjamin Zimmer, operator of einfachjabber.de
Vasil Kolev, operator of ludost.net
Danilo Bargen, XMPP server operator
Pranesh Prakash, free software advocate and operator of federated private XMPP servers
Kim Alvefur, Prosody developer and operator of piratechat.net
Timothée Jaussoin, founder and maintainer of the Movim project and admin of the movim.eu server
Michał Piotrowski, MongooseIM developer
Christian Bendt, operator of twattle.net XMPP server
Florian Weps, hactrn.ch operator
Thomas Jost, buddycloud enthusiast and operator of pouet.im
Thomas Camaran, chatme.im operator
Sven Gawlik, operator of jabber.de
Sam Whited, operator of formulanone.net and other services
James Tait, buddycloud enthusiast and operator of wyrddreams.org
Holger Weiß, operator of jabber.fu-berlin.de
Mathieu Pasquet, poezio developer
Aleksey Bryohov, jabberon.ru service operator
Roman Kolchigin, operator of jabbik.ru, jabberik.ru
Alexey Skobkin, operator of skobkin.ru
Sergey Skripnick, operator of jabber.com.ua
Alexzander Shevchenko, operator of wotapi.ru
Linus Nordberg, operator of adb-centralen.se and other services
Oleg Alekseenko, owner of jabberworld.info, operator of linuxoid.in
Mike Gogulski, developer of python-otrxmppchannel and other XMPP software
Rene Dhemant, operator of Jabber-Server.de
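The implementation and deployment policies above (TLS 1.2 preferred with a compatibility option for older versions, SSLv2 off, forward-secret cipher suites, authenticated encryption on server-to-server links with an unauthenticated fallback, and an administrative view of version, cipher suite and certificate) can be expressed directly as a TLS configuration. The following Go program is an added example, not part of the statement and not code from any of the signatories' projects. It assumes Go's standard crypto/tls package, a constructed host name "xmpp.example.net" with a throwaway self-signed certificate standing in for a CA-issued one, and a loopback TCP socket so that both ends of a server-to-server handshake run in one process. Go never implemented SSLv2 and has removed SSLv3, so the SSLv3 compatibility option cannot be shown; where both sides support it, TLS 1.3 (which postdates the statement) is negotiated.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

type ConnReport struct { // what the statement asks an administrative interface to show per connection
	Encrypted, Authenticated, ForwardSecrecy bool
	Version, CipherSuite, Fingerprint        string
}

func must[T any](v T, err error) T { // demo-only helper: abort on setup errors
	if err != nil {
		panic(err)
	}
	return v
}

// policyConfig follows the implementation policy: TLS 1.2 or newer with forward-secret ECDHE suites
// by default, plus an explicit option to accept TLS 1.0/1.1 peers (Go has no SSLv2 and no longer has SSLv3).
func policyConfig(allowLegacy bool) *tls.Config {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: []uint16{
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384}}
	if allowLegacy { // GCM suites are TLS 1.2 only, so older peers get CBC suites, still ECDHE
		cfg.MinVersion = tls.VersionTLS10
		cfg.CipherSuites = append(cfg.CipherSuites,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
	}
	return cfg
}

// peerConfig is the connecting side. With a root the server certificate is validated (authenticated
// encryption); with root == nil the link is only encrypted, and XEP-0220 Dialback would verify identity.
func peerConfig(serverName string, root *x509.Certificate, legacyOnly bool) *tls.Config {
	cfg := policyConfig(legacyOnly)
	cfg.ServerName, cfg.InsecureSkipVerify = serverName, root == nil
	if legacyOnly { // models an old deployment that speaks at most TLS 1.1
		cfg.MaxVersion = tls.VersionTLS11
	}
	if root != nil {
		cfg.RootCAs = x509.NewCertPool()
		cfg.RootCAs.AddCert(root)
	}
	return cfg
}

// selfSignedCert makes a throwaway ECDSA certificate (constructed test data in place of a CA-issued one).
func selfSignedCert(host string) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// handshake runs one TLS handshake over a loopback TCP socket and returns the client's view of it.
func handshake(serverCfg, clientCfg *tls.Config) (tls.ConnectionState, error) {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", serverCfg))
	defer ln.Close()
	go func() { // server side: accept one peer, complete the handshake, hang up
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg) // Dial runs the client handshake
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer conn.Close()
	return conn.ConnectionState(), nil
}

// inspect renders a handshake the way the administrative interface would report it.
func inspect(st tls.ConnectionState) ConnReport {
	suite := tls.CipherSuiteName(st.CipherSuite)
	r := ConnReport{Encrypted: st.HandshakeComplete, Authenticated: len(st.VerifiedChains) > 0,
		Version: fmt.Sprintf("0x%04x", st.Version), CipherSuite: suite,
		// every TLS 1.3 suite is ephemeral; below that, forward secrecy needs an (EC)DHE key exchange
		ForwardSecrecy: st.Version == tls.VersionTLS13 || strings.Contains(suite, "DHE")}
	if len(st.PeerCertificates) > 0 { // SHA-256 of the DER, for the UI to compare with the last one seen
		r.Fingerprint = fmt.Sprintf("%x", sha256.Sum256(st.PeerCertificates[0].Raw))
	}
	return r
}

func main() {
	const host = "xmpp.example.net" // constructed name, not a real server
	server, cert := policyConfig(false), selfSignedCert(host)
	server.Certificates = []tls.Certificate{cert}
	st, err := handshake(server, peerConfig(host, cert.Leaf, false))
	fmt.Printf("%+v err=%v\n", inspect(st), err)
}
```

With `policyConfig(false)` on the server, a peer that validates the certificate gets a report with Authenticated and ForwardSecrecy both true; a peer built with `root == nil` still gets an encrypted link but Authenticated false, which is the state in which the statement expects Dialback to verify identity; a peer that speaks at most TLS 1.1 is refused outright, and is accepted only when the server is built with `policyConfig(true)`, the explicit compatibility option the statement asks for. The report's Version field is the raw TLS version number, so 0x0303 is TLS 1.2 and 0x0304 is TLS 1.3.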